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We propose the use of Soft Constraints as a natural way to model Service Oriented Architecture. In 
the framework, constraints are used to model components and connectors and constraint aggregation 
is used to represent their interactions. The "quality of a service" is measured and considered when 
performing queries to service providers. Some examples consist in the levels of cost, performance 
and availability required by clients. In our framework, the QoS scores are represented by the softness 
level of the constraint and the measure of complex (web) services is computed by combining the 
levels of the components. 



1 Introduction 

Constraint programming is a powerful paradigm for solving combinatorial search problems that draws 
on a wide range of techniques from artificial intelligence, computer science, databases, programming 
languages, and operations research [|9j El I2I1- It is currently applied with success to many domains, 
such as scheduling, planning, vehicle routing, configuration, networks, and bioinformatics. The basic 
idea in constraint programming is that the user states the constraints and a general purpose constraint 
solver solves them. Constraints are just relations, and a Constraint Satisfaction Problem (CSP) states 
which relations should hold among the given decision variables (we refer to this classical view as "crisp" 
constraints). Constraint solvers take a real-world problem, represented in terms of decision variables and 
constraints, and find an assignment of values to all the variables that satisfies all the constraints. 

Rather than trying to satisfy a set of constraints, sometimes people want to optimize them. This 
means that there is an objective function that tells us the quality of each solution, and the aim is to find 
a solution with optimal quality. For example, fuzzy constraints ||9l |2] |25l allow for the whole range of 
satisfiability levels between and 1 . In weighted constraints, instead, each constraint is given a weight, 
and the aim is to find a solution for which the sum of the weights of the satisfied constraints is maximal. 

The idea of the semiring -based formalism EE] was to further extend the classical constraint notion, 
and to do it with a formalism that could encompass most of the existing extensions, as well as other ones 
not yet defined, with the aim to provide a single environment where properties could be proven once 
and for all, and inherited by all the instances. At the technical level, this was done by adding to the 
usual notion of a CSP the concept of a structure representing the levels of satisfiability of the constraints. 
Such a structure is a set with two operations (see Sec. [2] for further details): one (written +) is used to 
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generate an ordering over the levels, while the other one (x) is used to define how two levels can be 
combined and which level is the result of such combination. Because of the properties required on such 
operations, this structure is similar to a semiring (see Sec. [2]): from here the terminology of "semiring- 
based soft constraint" lUEl (and Sec. [2]), that is, constraints with several levels of satisfiability, and whose 
levels are (totally or partially) ordered according to the semiring structure. In general, problems defined 
according to the semiring-based framework are called Soft Constraint Satisfaction Problems (SCSPs). 

The aim of this paper is to apply Quality of Service (QoS) measures for Service Oriented Archi- 
tectures (SOAs) 11241 l23l . Such architecture outlines a way of reorganizing software applications and 
infrastructure into a set of interacting services and aims at a loose coupling of services with operating 
systems, programming languages and other technologies. A SOA separates functions into distinct units 
or services, and these services communicate with each other by passing data from one service to another, 
or by coordinating an activity between two or more services. Web services IT2T1 Q] can implement a 
service-oriented architecture. 

SOAs clearly represent a distributed environment and QoS aspects become very important to evalu- 
ate, since the final integrated service must fulfill the non-functional requirements of the final users; this 
composition needs to be monitored E4l [231 . We are also interested in representing contracts and Ser- 
vice Level Agreements Q] EH (SLAs) in terms of constraint based languages. The notions of contract 
and SLAs are very important in SOC since they allow to describe the mutual interactions between com- 
municating parties and to express properties related to the quality of service such as cost, performance, 
reliability and availability. The existing languages for describing Web services (e.g. WSDL, WS-CDL 
and WS-BPEL) are not adequate for describing contracts and SLAs and, so far, there exists no agreement 
on a specific proposal in this sense: a general, established theory of contracts is still missing lPTll2"Tll. 

The key idea of this paper is to use the a soft constraint framework in order to be able to manage SOAs 
in a declarative fashion by considering together both the requirements/interfaces of each service and their 
QoS estimation lf30l l27l l28l . C-semirings can represent several QoS attributes, while soft constraints 
represent the specification of each service to integrate: they link these measures to the resources spent 
in providing it, for instance, "the reliability is equal to 80% plus 5% for each other processor used to 
execute the service". This statement can be easily represented with a soft constraint where the number of 
processors corresponds to the x variable, and the preference (i.e. reliability) level is given by the 5^ + 80 
polynomial. 

Beside expressivity reasons, other advantages w.r.t. crisp constraints are that soft constraints can 
solve over-constrained problems (i.e. when it is not possible to solve all of them at the same time) and 
that, when we have to deal with quality, many related concepts are "smooth": quality can be represented 
with intervals of "more or less" acceptable values. It has been proved that constraint in general are 
a powerful paradigm for solving combinatorial search problems ||9j |2j [23. Moreover, there exists a 
wide body of existing research results on solving (soft) CSP for large systems of constraints in a fully 
mechanized manner (£10. 

The paper is organized as follows: Sec. [2] presents the minimum background notions needed to 
understand soft constraints, while Sec.|3]closes the introductory part by defining SOAs, QoS aspects and 
by showing how semiring instantiations can represent these non-functional aspects. Sec.[4]shows that the 
use of soft constraints permits us to perform a quantitative analysis of system integrity. Section [5] shows 
how QoS can be modeled and checked by using a soft constraint-based formal language. Finally, Sec. [6] 
present the related work, while Sec. [7] draws the final conclusions and discusses the directions for future 
work. 
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2 Background on Soft Constraints 

Absorptive Semiring. An absorptive semiring [5] S can be represented as a (A,+, X,0,1) tuple such 
that: i) A is a set and 0,1 G A; it) + is commutative, associative and is its unit element; Hi) x is 
associative, distributes over +, 1 is its unit element and is its absorbing element. Moreover, + is 
idempotent, 1 is its absorbing element and x is commutative. Let us consider the relation <s over A 
such that a <$ b iff a + b = b. Then it is possible to prove that (see [ 6 ]): i) <s is a partial order; ii) + and 
x are monotonic on <$; Hi) is its minimum and 1 its maximum; iv) (A, <$) is a complete lattice and, 
for all a,b G A, a + b = lub(a,b) (where lub is the least upper bound). Informally, the relation <$ gives 
us a way to compare semiring values and constraints. In fact, when we have a <s b (or simply a < b 
when the semiring will be clear from the context), we will say that b is better than a. 

In Q the authors extended the semiring structure by adding the notion of division, i.e. as a weak 
inverse operation of x. An absorptive semiring S is invertible if, for all the elements a,b G A such that 
a < b, there exists an element c G A such that b x c = a 1H. If S is absorptive and invertible, then, S is 
invertible by residuation if the set {x G A \ b x x = a} admits a maximum for all elements a,b G A such 
that a < b ISIl. Moreover, if S is absorptive, then it is residuated if the set {x G A | b x x < a} admits 
a maximum for all elements a,b G A, denoted a -j- With an abuse of notation, the maximal element 
among solutions is denoted a-^b. This choice is not ambiguous: if an absorptive semiring is invertible 
and residuated, then it is also invertible by residuation, and the two definitions yield the same value. 

To use these properties, in Q it is stated that if we have an absorptive and complete semiring] then 
it is residuated. For this reason, since all classical soft constraint instances (i.e. Classical CSPs, Fuzzy 
CSPs, Probabilistic CSPs and Weighted CSPs) are complete and consequently residuated, the notion of 
semiring division (i.e. -=-) can be applied to all of them. 

Soft Constraint System. A soft constraint JH 13 may be seen as a constraint where each instantiation 
of its variables has an associated preference. Given S = (A,+, x,0,l) and an ordered set of variables 
V over a finite domain D, a soft constraint is a function which, given an assignment r\ : V — » D of the 
variables, returns a value of the semiring. Using this notation ^€ = r\ — ► A is the set of all possible 
constraints that can be built starting from S, D and V. 

Any function in ^ involves all the variables in V, but we impose that it depends on the assignment 
of only a finite subset of them. So, for instance, a binary constraint c Xj y over variables x and y, is a 
function c X y : (V — ► D) — ► A, but it depends only on the assignment of variables {x,y} C V (the support 
of the constraint, or scope). Note that cr\ [v := d\] means cf]' where v\' is v\ modified with the assignment 
v := d\. Notice also that, with ctj, the result we obtain is a semiring value, i.e. cq = a. 

Given set c tf, the combination function (g) : ^ x ^€ — > is defined as (ci ®C2)t] = c\T] x c^ (see also 
OH El)- Having defined the operation -j- on semirings, the constraint division function Q- : ^ x ^ — > ^ 
is instead defined as [c\ Q-C2)f] = c\T\ -j-caT] [5]. Informally, performing the (g> or the Q- between two 
constraints means building a new constraint whose support involves all the variables of the original ones, 
and which associates with each tuple of domain values for such variables a semiring element which 
is obtained by multiplying or, respectively, dividing the elements associated by the original constraints 
to the appropriate sub-tuples. The partial order <s over ^ can be easily extended among constraints 
by defining c\Qc2 <^=^ c\f] < C2T7. Consider set ^ and partial order C. Then an entailment relation 
HC x is defined s.t. for each C G p(tf) and c G c i, we have Che <=^ <g)C C c (see also EJH)- 



If 5 is an absorptive semiring, then 5 is complete if it is closed with respect to infinite sums, and the distributivity law holds 
also for an infinite number of summands. 
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<a,a>— 5 
<a,b>^ 1 
<b,a>^ 2 
<b,b>^ 2 




Figure 1: A soft CSP based on a Weighted semiring. 



Given a constraint c £ "Sf and a variable v £ V, the projection (6j |2l [8) of c over V\{v}, written 
c JJ-(y\{, }) is the constraint d s.t. c't7 = Y,deD cr l [ v := <^]- Informally, projecting means eliminating some 
variables from the support. This is done by associating with each tuple over the remaining variables 
a semiring element which is the sum of the elements associated by the original constraint to all the 
extensions of this tuple over the eliminated variables. To treat the hiding operator of the language, a 
general notion of existential quantifier is introduced by using notions similar to those used in cylindric 
algebras. For each x £ V, the hiding function J2j[8l is defined as (3^c)tj = Y<deD cr l[ x := di\. 

To model parameter passing, for each x,y eVa diagonal constraint [2j [H is defined as dxy £ 
s.t., d xy r\[x := a,y := b) = 1 if a = b and d xy r\[x := a,y := b] = if a ^ b. Considering a semiring 
S = (A,+, x,0,l), a domain of the variables D, an ordered set of variables V and the corresponding 
structure c £, then Sc = (^,<8>,0,l,=l x ,4^)r]is a cylindric constraint system ("a la Saraswat" ||8l). 



Soft CSP and an Example. A Soft Constraint Satisfaction Problem (SCSP) [ 2 ] defined as P = (C, con) : 
C is the set of constraints and con C V is the set of variables of interest for the constraint set C, which 
however may concern also variables not in con. This is called the best level of consistency and it is 
defined by blevel(P) = Sol(P) U, where Sol(P) = ((g) C) ^ con ; notice that supp{blevel{P)) = 0. We 
also say that: P is a-consistent if blevel(P) = a; P is consistent iff there exists a >s such that P is 
a-consistent; P is inconsistent if it is not consistent. 

Figure [T] shows a weighted CSP as a graph. Variables and constraints are represented respectively by 
nodes and by undirected arcs (unary for c\ and C3, and binary for ci), and semiring values are written to 
the right of each tuple. The variables of interest (that is the set con) are represented with a double circle 
(i.e. variable X). Here we assume that the domain of the variables contains only elements a and b. For 
example, the solution of the weighted CSP of Fig.[T]associates a semiring element to every domain value 
of variable X. Such an element is obtained by first combining all the constraints together. For instance, 
for the tuple (a, a) (that is, X = Y = a), we have to compute the sum of 1 (which is the value assigned 
to X = a in constraint c\), 5 (which is the value assigned to (X = a,Y = a) in c<i) and 5 (which is the 
value for Y = a in C3). Hence, the resulting value for this tuple is 11. We can do the same work for 
tuple (a, b) — ► 7, (b,a) — > 16 and (b,b) — > 16. The obtained tuples are then projected over variable x, 
obtaining the solution (a) — > 7 and (b) — > 16. The blevel for the example in Fig. [I] is 7 (related to the 
solution X = a, Y = b). 



2 6 and 1 respectively represent the constraints associating and 1 to all assignments of domain values; in general, the a 
function returns the semiring value a. 
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3 Service Oriented Architectures and QoS Aspects 

Service Oriented Architecture (SOA) can be defined as a group of services, which communicate with 
each other ll24ll23Tl . The process of communication involves either simple data passing or it could involve 
two or more services coordinating some activity. Basic services, their descriptions, and basic operations 
(publication, discovery, selection, and binding) that produce or utilize such descriptions constitute the 
SOA foundation. The main part of SOA is loose coupling of the components for integration. Services are 
defined by their interface, describing both functional and non-functional behaviour. Functional includes 
describing data formats, pre and post conditions and the operation performed by the service. Non- 
functional behaviour includes security and other QoS parameters. The main four features of SOA consist 
in Coordination, Monitoring, Conformance and Quality of Service (QoS) composition [24]. 

Services are self describing, open components that support rapid, low-cost composition of distributed 
applications. Services are offered by service providers, which are organizations that procure the service 
implementations, supply their service descriptions, and provide related technical and business support. 
Since services may be offered by different enterprises and communicate over the Internet, they provide 
a distributed computing infrastructure for both intra and cross-enterprise [1] application integration and 
collaboration. Service descriptions are used to advertise the service capabilities, interface, behaviour, 
and quality. Publication of such information, about available services, provides the necessary means for 
discovery, selection, binding, and composition of services. Service clients (end-user organizations that 
use some service) and service aggregators (organizations that consolidate multiple services into a new, 
single service offering) utilize service descriptions to achieve their objectives. 

QoS measures include also dependability aspects: dependability as applied to a computer system is 
defined by the IFIP 10.4 Working Group on Dependable Computing and Fault Tolerance as [20]: "[..] 
the trustworthiness of a computing system which allows reliance to be justifiably placed on the service it 
delivers [..]". 

Some different QoS/dependability measurements can be applied to a system to determine its overall 
quality. A very general list of attributes is: i) Availability - the probability that a service is present and 
ready for use; ii) Reliability - the capability of maintaining the service and service quality; Hi) Safety - 
the absence of catastrophic consequences; iv) Confidentiality - information is accessible only to those 
authorized to use it; v) Integrity - the absence of improper system alterations; and vi) Maintainability - 
to undergo modifications and repairs. Some of these attributes, as availability, are quantifiable by direct 
measurements (i.e. they are rather objective scores), but others are more subjective, e.g. safety. 

The semiring algebraic structures (see Sec. [2]) prove to be an appropriate and very expressive cost 
model to represent the QoS metrics shown in this Section. The cartesian product of multiple c-semirings 
is still a c-semiring [2] and, therefore, we can model also a multicriteria optimization. In the following 
list we present some possible semiring instantiations and some of the possible metrics they can represent: 

• Weighted semirings (l + ,mm, +,oo 5 0) (+ is the arithmetic sum). In general, this semiring can 
represent additive metrics: it can be used to count events or quantities to minimize the resulting 
sum, e.g. to save money while composing different services with different costs, or to minimize 
the downtime of service components (availability and reliability can be modeled this way). 

• Fuzzy semirings ([0, l],max,min,0, 1). It can be used to represent fuzzy preferences on compo- 
nents, e.g. low, medium or high reliability when detailed information is not available. This semiring 
can be used to represent concave metrics, in which the composition result of all the values is ob- 
tained by "flattening" to the "worst" or "best" value. One more application example is represented 
by the aggregation of bandwidth values along a network route or, however, by aggregating concave 
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values on a pipeline of sub-services. 

• Probabilistic semirings ([0,1], max, x , 0, 1 ) ( x is the arithmetic multiplication). Multiplicative me- 
trics can be modeled with this semiring. As an example, this semiring can optimize (i.e. maximize) 
the probability of successful behavior of services, by choosing the composition that optimizes the 
multiplication of probabilities. For example, the frequency of system faults can be studied from a 
probabilistic point of view; also availability can be represented with a percentage value. 

• Set-Based semirings (<5^(A) , U, Pi, 0, A). Properties and features of the service components can be 
represented with this semiring. For example, in order to represent related security rights, or time 
slots in which the services can be used (security issues). 

• Classical semirings ({0, 1}, V, A,0, 1). The classical semiring can be adopted to cast crisp con- 
straints in the semiring-based framework defined in 00. Even this semiring can be used to check 
if some properties are entailed by a service definition (i.e. true of false values), by composing the 
properties of its components together. 

4 Soft Constraints to Enforce System Integrity 

In this Section we show that soft constraints can model the implementation of a service described with 
a policy document HJ |2T1 ; this really happens in practice by using the Web Services Description Lan- 
guage (WSDL) that is an XML-based language that provides a model for describing web services EH . 
Moreover, by using the projection operator (i.e. JJ- in Sec. [2]) on this policy, which consists in the com- 
position (i.e. (g) in Sec. [2]) of different soft constraints, we obtain the external interface of the service 
that are used to match the requests. This view can be used to check the integrity of the system, that is 
if a particular service ensures the consistency of actions, values, methods, measures and principles; as a 
reminder, integrity can be seen as one of the QoS attributes proposed in Sec. [3] The integrity attribute 
is very important when different sub-services from distinct providers are composed together to offer a 
single structured service. The results presented here are inspired by the work in Q . 

For the scenario example in Fig. [2j suppose to have a digital photo editing service decomposed as a 
set of sub-services; the compression/decompression module (i.e. COMPF) is located on the client side, 
while the other filter modules are located on the side of the editing company and can be reached through 
the network. The first module, i.e. BWF turns the colors in grey scale and the REDF filter absorbs green 
and blue and let only red become lighter. The client wants to compress (e.g. in a JPEG format) and send 
a remarkable number of photos (e.g. the client is a photo shop) to be double filtered and returned by the 
provider company; filters must be applied in a pipeline scheme, i.e. REDF goes after BWF. 

The structure of the system represented in Fig. [2] corresponds to & federated system. It is defined 
as a system composed of components within different administrative entities cooperating to provide a 
service [1J; this definition perfectly matches our idea of SOA. 

As a first example we consider the Classical semiring presented in Sec. [3] therefore, in practice 
we show a crisp constraint case. We suppose to have four variables outcomp, incomp, bwbyte and 
redbyte, which respectively represent the size in bytes of the photo at the beginning of the process, 
after applying the black-and-white filter, the red filter and after compressing the obtained black-and- 
white photo. Since the client has a limited memory space, it wants that the memory occupied by the 
photo does not increase after the filtering and compressing process: 



Memory = incomp < outcomp 
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Federated System 



Figure 2: A federated photo editing system. 

The following three constraints represent the policies compiled respectively by the staff of the BWF 
module, the REDF module and COMPF module. They state, following their order, that applying the 
BWF filter reduces the size of the image, applying the REDF filter reduces the size of the received 
black-and-white image and, at last, compressing the image reduces its size. 

BWFilter = bwbyte < outcomp 

REDFilter = red byte < bwbyte 

Compression = incomp < red byte 
The integration of the three policies (i.e. soft constraints) describes 

Impl = BWFilter® RedFilter® Compression 
Integrity is ensured in this system since Impl ensures the high-level requirement Memory. 

lmpl^{incomp,outcom P } E Memory 

We are unconcerned about the possible values of the 'internal' variables bwbyte and redbyte and 
thus the constraint relation lmpl^{ incomp outcomp } describes the constraints in Impl that exist between 
variables incomp and outcomp}. By definition, the above equation defines that all of the possible solu- 
tions of lmpl^r incomp jOUtcomp } are solutions of Memory, that is, for any assignment T7 of variables then 

ImpljKincomp.outcomp} ^ ~ S Mem ° r y 

Definition 4.1 We say that the requirement S locally refines requirement R through the interface de- 
scribed by the set of variables V iffSuy [Z Ruy. 

Continuing the example in Fig. |2j we assume that the application system will behave reliably and 
uphold BWFilter and Compression. Let us suppose instead that it is not reasonable to assume that REDF 
will always act reliably, for example because the software of the red filter has a small bug when the size 
of the photo is 666Kbyte. In practice, REDF could take on any behavior: 

Red Filter = (redbyte < bwbyte V redbyte > bwbyte) = true 
Imp2 = BWFilter® Red Filter (g) Compression 
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if outcomp < 1024Kb 
if outcomp > 4096Kb 
otherwise. 



c\ (outcomp, bwbyte) = < 







1- 



outcomp 



ioo ■ bwbyte 



Imp2 is a more realistic representation of the actual filtering process. It more accurately reflects the relia- 
bility of its infrastructure than the previous design Impl. However, since red byte is no longer constrained 
it can take on any value, and therefore, incomp is unconstrained and we have 



that is, the implementation of the system is not sufficiently robust to be able to deal with internal failures 
in a safe way and uphold the memory probity requirement. 

In |[T6l [T71 the author argues that this notion of dependability may be viewed as a class of refinement 
whereby the nature of the reliability of the system is explicitly specified. 

Definition 4.2 (Dependability and Constraints IfR gives requirements for an enterprise and S is its 
proposed implementation, including details about the nature of the reliability of its infrastructure, then S 
is as dependably safe as R at interface that is described by the set of variables E if and only ifS^E E R^e- 

Quantitative analysis. When a quantitative analysis of the system is required, then it is necessary to 
represent these properties using soft constraints. This can be done by simply considering a different semi- 
ring (see Sec. [3}, while the same considerations provided for the previous example with crisp constraints 
(by using the Classical semiring) still hold. 

With a quantitative analysis, now consider that we aim not only to have a correct implementation, 
but, if possible, to have the "best" possible implementation. We keep the photo editing example provided 
in Fig. [2] but we now represent the fact that constraints describe the reliability percentage, intended as the 
probability that a module will perform its intended function. For example, the following (probabilistic) 
soft constraint c\ : {outcomp, bwbyte} — » N — > [0, 1] shows how the compression reliability performed 
in BWFilter is linked to the initial and final number of bytes of the treated image: 

c\ tells us that the compression does not work if the input image is more than 4Mb, while is com- 
pletely reliable if is less than 1Mb. Otherwise, this probability depends on the compression efficiency: 
more that the image size is reduced during the compression, more that it is possible to experience some 
errors, and the reliability consequently decreases. For example, considering the definition of c\, if the 
input image is 4096Kb and compressed is 1024Kb, then the probability associated to this variable instan- 
tiation is 0.96. 

In the same way, we can define C2 and C3 that respectively shows the reliability for the REDFilter 
and Compression modules. Their composition Imp3 = c\ ®ci ®cz represents the global reliability of the 
system. If Memory Prob is the soft constraint representing the minimum reliability that the system must 
provide (e.g. Memory Proh is expressed by a client of the photo editing system), then if 



lmp2 Wil 



incom 



P ,outcomp} 2 Memory 



Memory C Imp3 



we are sure that the reliability requirements are entailed by our system. Moreover, by exploiting the 
notion of best level of consistency (see the blevel in Sec. [2]), we can find the best (i.e. the most reliable) 
implementation among those possible. 
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At last, notice also that the projection operator (i.e. the JJ- operator explained in Sec. [2]) can be used 
to model a sort of function declaration to the "outside world": soft constraints represent the internal 
implementation of the service, while projecting over some variables leads to the interface of the service, 
that is what is visible to the other software components. 



5 A Nonmonotonic seep Language for the Negotiation 

In this Section we present a formal language based on soft constraints [10]; the language is tied to the 
monitoring of QoS aspects, as shown in Subsec. 5.1 Given a soft constraint system as defined in Sec. [2] 



and any related constraint c, the syntax of agents in nmsccp is given in Fig. [3] P is the class of programs, 
F is the class of sequences of procedure declarations (or clauses), A is the class of agents, c ranges over 
constraints, X is a set of variables and Y is a tuple of variables. 

P::= FA 

F::= p(Y):;A\F.F 

A ::= success \ tell{c) >— > A \ retract{c) >— » A \ updatex{c) >— > A | E | A||A | 3xA \ p(Y) 

E ::= ask(c) >— > A | nask(c) >— > A | E + E 



Figure 3: Syntax of the nmsccp language. 

The >— > is a generic checked transition used by several actions of the language. Therefore, to simplify 
the rules in Fig. [5] we define a function cheeky, : a — > {true, false} (where a G "rf), that, parametrized 
with one of the four possible instances of >— > (C1-C4 in Fig. |4]), returns true if the conditions defined by 
the specific instance of >— > are satisfied, ox false otherwise. The conditions between parentheses in Fig. [4] 
claim that the lower threshold of the interval clearly cannot be "better" than the upper one, otherwise the 
condition is intrinsically wrong. 

In Fig. [4] CI checks if the a-consistency of the problem is between a\ and ai. In words, CI states 
that we need at least a solution as good as a\ entailed by the current store, but no solution better than ai\ 
therefore, we are sure that some solutions satisfy our needs, and none of these solutions is "too good". 



Cl: ^=^2 checMoU = ™f l ° U>S ^ C3: ~=^f check(a)^ = trueii I ° U>S ° 2 
(with a\ ^ a 2 ) (with <j)x JJ. a ^ a 2 ) 



C2: ^>=—>t 2 i check{p),-, = true if < ^ Qd; ^ = ^^ 2 check(o)^ = trueii < ^ ^ 2 

(with a\ ^ 02 JJ-0) (with h <h) 

Otherwise, within the same conditions in parentheses, check(o)^ = false 

Figure 4: Definition of the check function for each of the four checked transitions. 

To give an operational semantics to our language we need to describe an appropriate transition system 
(r, T, — >), where T is a set of possible configurations, T C T is the set of terminal configurations and 
— *C r x r is a binary relation between configurations. The set of configurations is Y = {(A, a)}, where 
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R4 



R5 



check(o ® c) 



(tell(c) >-»A,a) — > (A,o®c) 

<7 h c check(o)i-> 
(ask(c) >— > A, a) — > (A, a) 

(A || B, a) > (A' || i?, cr') 
(5||A,cr) — ><B||A',ct'> 

(A, a) — ► (success, a ) 
(A || B,a)^(B,&) 
(B\\A,a)^(B,a f ) 



(E h a) — » (Aj-,0 7 ) j e [l.ii 



Tell 



Ask 



Paralll 



Parall2 



R6 



R7 



R8 



R9 



RIO 



CTl/c check(a)^ 
(nask(c) >— » A, ct) — > (A, cr) 

cjCc a' = a©-c check(o')^ 
(ret met (c) ^A,a) — > (^O 7 ) 

CT' = (a JJ-(v\x)) ® c check(o')^ 
(update x (c) >— » A, a) — > (A, ff') 

Wy],q) — (f^') withy^ 



Nondet 

Figure 5: The transition system for nmsccp. 
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56? while the set of terminal configurations is instead T = {(jwccejj, a)}. The transition rules for the 
nmsccp language are defined in Fig. [5] 

In the following we provide a description of the transition rules in Fig. [5] For further details, please 
refer to iTTOll . In the Tell rule (Rl), if the store a 0c satisfies the conditions of the specific >— » transition of 
Fig. [4] then the agent evolves to the new agent A over the store G ® c. Therefore the constraint c is added 
to the store a. The conditions are checked on the (possible) next-step store: i.e. check(a')^. To apply 
the Ask rule (R2), we need to check if the current store a entails the constraint c and also if the current 
store is consistent with respect to the lower and upper thresholds defined by the specific >— » transition 
arrow: i.e. if check(a)^ is true. 

Parallelism and nondeterminism: the composition operators + and || respectively model nonde- 
terminism and parallelism. A parallel agent (rules R3 and R4) will succeed when both agents succeed. 
This operator is modelled in terms of interleaving (as in the classical ccp): each time, the agent A \\ B 
can execute only one between the initial enabled actions of A and B (R3); a parallel agent will succeed if 
all the composing agents succeed (R4). The nondeterministic rule R5 chooses one of the agents whose 
guard succeeds, and clearly gives rise to global nondeterminism. The Nask rule is needed to infer the 
absence of a statement whenever it cannot be derived from the current state: the semantics in R6 shows 
that the rule is enabled when the consistency interval satisfies the current store (as for the ask), and c is 
not entailed by the store: i.e. o %c. Retract: with R7 we are able to "remove" the constraint c from 
the store a, using the &- constraint division function defined in Sec. [2] According to R7, we require that 
the constraint c is entailed by the store, i.e. a C c. The semantics of Update rule (R8) [11] resembles 
the assignment operation in imperative programming languages: given an updatex(c), for every x G X 
it removes the influence over x of each constraint in which x is involved, and finally a new constraint 
c is added to the store. To remove the information concerning all x G X, we project (see Sec. [2]) the 
current store on V\X, where V is the set of all the variables of the problem and X is a parameter of the 
rule (projecting means eliminating some variables). At last, the levels of consistency are checked on the 
obtained store, i.e. check(c')^,. Notice that all the removals and the constraint addition are transactional, 
since are executed in the same rule. Hidden variables: the semantics of the existential quantifier in R9 
can be described by using the notion of freshness of the new variable added to the store ifTOl . Procedure 



S. Bistarelli & F. Santini 



61 



preference 
1 

0.5 



Provider's soft 


Client's soft 


constraint 


constraint 




c p 














\ P 





4 5 6 7 8 9 



x (resource) 



Figure 6: The graphical interpretation of a fuzzy agreement. 



calls: the semantics of the procedure call (RIO) has already been defined in [8]: the notion of diagonal 
constraints (as defined in Sec. [2]) is used to model parameter passing. 



5.1 Example 

One application of the nmsccp language is to model generic entities negotiating a formal agreement, i.e. a 
SLA dEO, where the level of service is formally defined. The main task consists in accomplishing the 
requests of all the agents by satisfying their QoS requirements. Considering the fuzzy negotiation in 
Fig.[6](,Fwzzy semiring: ([0, l},max,min,0, 1)) both a provider and a client (offering and acquiring a web 
service, for example) can add their request to the store a (respectively tell(c p ) and tell(c c )): the thick 
line represents the consistency of a after the composition (i.e. miri), and the blevel of this SCSP (see 
Sec. [2]) is the max, where both requests intersects (i.e. in 0.5). 

We present three short examples to suggest possible negotiation scenarios. We suppose there are two 
distinct companies (e.g. providers P\ and P2) that want to merge their services in a sort of pipeline, in 
order to offer to their clients a single structured service: e.g. Pi completes the functionalities of fy. This 
example models the cross-domain management of services proposed in [ 1 ]. The variable x represents the 
global number of failures they can sustain during the service provision, while the preference models the 
number of hours (or a money cost in hundreds of euros) needed to manage them and recover from them. 
The preference interval on transition arrows models the fact that both Pi and P2 explicitly want to spend 
some time to manage the failures (the upper bound in Fig. [4]), but not so much time (lower bound in 
Fig. [4]). We will use the Weighted semiring and the soft constraints given in Fig. [7] Even if the examples 
are based on a single criterion (i.e. the number of hours) for sake of simplicity, they can be extended to 
the multicriteria case, where the preference is expressed as a tuple of incomparable criteria. 

Example 5.1 (Tell and negotiation) Pi and P2 both want to present their policy (respectively repre- 
sented by c\ and c$) to the other party and to find a shared agreement on the service (i.e. a SLA). Their 
agent description is: Pi = {tell(c^) — >2> tell{s P 2) — >2> ask(s p \) success)\\{tell(c^j — >° tell(s p \) — >Z, 
ask(s p 2) — >\ success) = P% executed in the store with empty support (i.e. 0). Variables s p \ and s p i are 
used only for synchronization and thus will be ignored in the following considerations (e.g. replaced by 



the SYNCHRO] agents in Ex. 5.2). The final store (the merge of the two policies) is O = (04(8)03) = 
2x-\-x + 5, and since O JJ-0= 5 is not included in the last preference interval of P2 (between 1 and A), 
P2 does not succeed and a shared agreement cannot be found. The practical reason is that the failure 
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ci : ({x} -» N) -> M + s.t. ci(jc)=x+3 c 2 : (M -> N) R + s.t. c 2 (y) = y + 1 

c 3 : ({x} -» N) -> R+ s.t. c 3 (x) = 2x c 4 : ({x} -» N) -» R+ s.t. c 4 (x) = x + 5 

Figure 7: Four Weighted soft constraints. 

management systems ofP\ need at least 5 hours (i.e. c\ = x + 5) even if no failures happen (i.e. x = 0). 
Notice that the last interval of Pi requires that at least 1 hour is spent to check failures. 

Example 5.2 (Retract) After some time ( still considering Ex. \5. 1\ , suppose that P\ wants to relax the 
store, because its policy is changed: this change can be performed from an interactive console or by 
embedding timing mechanisms in the language as explained in The removal is accomplished by 
retracting c\, which means that P\ has improved its failure management systems. Notice that c\ has 
not ever been added to the store before, so this retraction behaves as a relaxation; partial removal 
is clearly important in a negotiation process. P\ = (tell(c4) — »2> SYNCHROp\ retract (c\) — >\ Q 
success)\\{tell(c 3 ) ->° SYNCHRO P2 -*\ success) = P2 is executed in 0. The final store is o = C4 (8> 
C3 9-ci = 2x + 2, and since O 4J-©= 2, both P\ and P2 now succeed (it is included in both intervals). 

Example 5.3 (Update) The update can instead be used for substantial changes of the policy: for ex- 
ample, suppose that P\ = {tell(c\) — >° update [ x }{c2) success. 0). This agent succeeds in the store 
0(%>ci JJ-(v\{ x }) 0C2, where c\ 4J-(v\{jt}) = 3 and 3®C2 =y + 4 (i.e. the polynomial describing the final 
store). Therefore, the first policy based on the number of failures (i.e. c\) is updated such that x is 
"refreshed" and the newly added policy (i.e. C2) depends only on the number y of system reboots. The 
consistency level of the store (i.e. the number of hours) now depends only on the y variable of the SCSP 
Notice that the 3 component of the final store derives from the "old" c\, meaning that some fixed man- 
agement delays are included also in this new policy. 

6 Related Work 

There exist already several proposals for languages which allow to specify (Web) services and their com- 
position, at different levels of abstractions, ranging from description languages such as WSDL (which al- 
lows to describe services essentially as collections of ports), to orchestration languages (XLANG, WSFL 
and WS-BPEL) and choreography languages (WS-CDL and BPEL4Chor) which allow to define compo- 
sition of services either in terms of a centralized meta-service (the orchestrator) or by considering the 
reciprocal interactions (the choreography) among the different services (without centralization). There 
exist also some specific proposals [fl3J[T3) for describing contracts and their relevant properties. However 
a general, established theory of contracts is still missing. Furthermore most languages do not take into 
account SLAs, that is aspects of contracts such as cost, performance or availability, which are related to 
QoS. 

Other papers have been proposed in order to study dependability aspects in SOAs, for example by 
using the Architecture Analysis and Design Language (AADL). In [26] the authors purpose a modeling 
framework allowing the generation of dependability-oriented analytical models from AADL models, 
to facilitate the evaluation of dependability measures, such as reliability or availability. The AADL 
dependability model is transformed into a Generalized Stochastic Petri Net (GSPN) by applying model 
transformation rules. 
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The frameworks presented in this paper can join the other formal approaches for architectural no- 
tations: Graph-Based, Logic-Based and Process Algebraic approaches lTT2l . A formal foundation un- 
derlying is definitely important, since, for example, UML alone can offer a number of alternatives for 
representing architectures: therefore, this lack of precision can lead to a semantic misunderstanding of 
the described architectural model |fl9l . Compared to other formal methods lfT2l . constraints are very ex- 
pressive and close to the human way of describing properties and relationships; in addition, their solution 
techniques have a long and successful history ll25ll . The qualitative/quantitative architectural evaluation 
can be accomplished by considering different semirings (see Sec [2]): our framework is highly parametric 
and can consequently deal with different QoS metrics, as long as they can be represented as semirings. 

Other works have studied the problem of issuing requests to a composition of web services as a crisp 
constraint-based problem ll22ll . but without optimizing non-functional aspects of services, as we instead 
do with (semiring-based) soft constraints. For a more precise survey on the architectural description of 
dependable software systems, please refer to [18]. The most direct comparison for nmsccp in Sec. [5] is 
with the work in lfl4l . in which soft constraints are combined with a name -passing calculus. The most 
important difference is that in nmsccp we do not have the concept of constraint token and it is possible to 
remove every c that is entailed by the store, even if c is syntactically different from all the c previously 
added. 



7 Conclusions and Future Work 



We have proved that soft constraints and their related operators (e.g. (g), Q-, JJ. in Sec. [2]) can model and 
manage the composition of services in SOAs by taking in account QoS metrics. The key idea is that 
constraint relationships model the implementation of a service component (described as a policy), while 
the "softness" (i.e. the preference value associated with the soft constraint) represents one or more QoS 
measures, as reliability, availability and so on (see Sec. [3]>. In this way, the composition of services 
can be monitored and checked, and the best quality result can be found on this integration. It may also 
be desirable to describe constraints and capabilities (also, "policy") regarding security: a web service 
specification could require that, for example, "you MUST use HTTP Authentication and MAY use GZIP 
compression". 

Two different but very close contributions are collected in this work. The first contribution in Sec. [4] 
is that the use of soft constraints permits one to perform a quantitative analysis of system integrity. The 
second contribution, explained in Sec. [5] proposes the use of a formal language based on soft constraints 
in order to model the composition of different service components while monitoring QoS aspects at the 
same time. 

All the models and techniques presented in this work can be implemented and integrated together in 
a suite of tools, in order to manage and monitor QoS while building SOAs. To accomplish this task, we 
could extend an existent solver such as Gecode [29], which is an open, free, portable, accessible, and 
efficient environment for developing constraint-based systems and applications. The main results would 
be the development of a SOA query engine, that would use the constraint satisfaction solver to select 
which available service will satisfy a given query. It would also look for complex services by composing 
together simpler service interfaces. 
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